Stack Auth is an open-source alternative to proprietary auth services like Auth0 and Clerk, designed for developers who need full control over user authentication and management without vendor lock-in. It provides a complete suite of authentication features—including email/password, magic links, OAuth, passkeys, and M2M authentication—along with a built-in user dashboard and role-based access control. Built with TypeScript and optimized for Next.js, it supports both headless and UI-integrated workflows and can be self-hosted or used via its managed service.
The platform is built on a modular architecture using React components, a REST API, and server-side primitives like route handlers and server components. It integrates with Docker-based dependencies (PostgreSQL, Inbucket, Prisma) and supports deployment anywhere, with full data portability. Its ecosystem includes shadcn/ui components, webhooks via Svix, and seamless integration with third-party OAuth providers like Google and Outlook.
What You Get
- <SignIn/> and <SignUp/> components - Pre-built, themable React components supporting email/password, magic links, and OAuth with dark/light mode support, so no sign-in UI or flow logic has to be written by hand.
- User dashboard - A full-featured admin interface to filter, search, edit, and analyze users, eliminating the need to build an internal user management tool from scratch.
- Multi-tenancy & teams - Built-in organization and team structures with email invitations and team-specific permissions, designed for B2B SaaS applications scaling to millions of users.
- Role-based access control (RBAC) - Define arbitrary permission trees and assign roles at user or organization level, with granular control over resource access.
- Third-party OAuth token management - Automatically handle OAuth token refreshes and scopes for services like Google Calendar and Outlook, exposing tokens via a single function call.
- Passkeys support - Enable passwordless authentication using biometrics or security keys across devices, compliant with WebAuthn standards.
- Impersonation - Securely log in as any user for debugging or customer support, with audit trails and session isolation.
- Automatic customizable emails - WYSIWYG email editor for triggers like sign-up, password reset, and email verification, powered by Inbucket for local testing.
- User session & JWT handling - Automatic management of access tokens, refresh tokens, and cookies with optimal performance and no manual JWT configuration required.
- M2M authentication - Issue short-lived access tokens for machine-to-machine communication between services without user interaction.
- Webhooks via Svix - Trigger real-time events (user sign-up, login, etc.) to external services like Slack, databases, or CRMs with built-in retry and delivery guarantees.
- Headless SDK - Use low-level APIs to build custom UIs while retaining all backend functionality, compatible with any frontend framework.
Common Use Cases
- Replacing Auth0/Clerk in a SaaS startup - A founder migrates from Clerk to Stack Auth to avoid vendor lock-in, gaining full data ownership and RBAC while reducing monthly costs.
- Building a B2B SaaS with team permissions - A product team uses Stack Auth’s multi-tenancy to manage enterprise customers with org-wide roles and team-based access controls.
- Adding passwordless login to a mobile-first app - A developer implements passkeys to improve conversion and security, leveraging Stack Auth’s WebAuthn integration without managing key pairs manually.
- Managing OAuth integrations for a productivity tool - A startup connects Gmail, OneDrive, and Calendar APIs to their app using Stack Auth’s token management, eliminating custom OAuth flow code.
- Debugging user issues in production - A support engineer impersonates a user to reproduce and fix a bug without needing their password or compromising security.
- Automating user onboarding with webhooks - A company triggers Slack notifications and CRM updates when a new user signs up using Stack Auth’s built-in Svix webhooks.
Under The Hood
Architecture
- Monorepo organized via pnpm-workspace.yaml with cleanly separated packages for backend, dashboard, SDKs, and documentation, enabling independent development and deployment
- Backend enforces strict separation of concerns using dependency-injected services for authentication, data access, and HTTP handling, powered by @node-oauth/oauth2-server and Prisma
- Event-driven workflows decouple core authentication from analytics and audit trails using S3 and ClickHouse, with background jobs managing async operations
- Distributed tracing and observability are natively integrated via OpenTelemetry, complemented by structured logging and metrics instrumentation across services
Tech Stack
- TypeScript monorepo with Next.js 14 and React 19 for the frontend, enhanced by Vite plugins and path aliasing for optimized development
- Backend leverages Node.js with Express-like patterns, Prisma for PostgreSQL, and ClickHouse for analytics, alongside AI integrations via @ai-sdk/openai
- Comprehensive testing stack includes Vitest, @testing-library/react, and jsdom, with extensive ESLint and TypeScript configurations ensuring type safety
- Infrastructure is containerized via Docker Compose with custom scripts for database dependencies, while Turbo and pnpm orchestrate build and code generation pipelines
- CI/CD and local development are automated through custom shell scripts, dotenv-cli, and wait-on, with Sentry and PostHog providing real-time observability
Code Quality
- Extensive test coverage spans unit, integration, and end-to-end scenarios, using custom utilities and snapshot matching to validate API behavior and permission logic
- Clear separation of test concerns through reusable helpers that encapsulate setup logic, improving readability and maintainability of test suites
- Standardized error responses with explicit error codes and consistent HTTP status codes enhance client-side recovery and system observability
- Strong type safety is enforced end-to-end via TypeScript, with shared interfaces for APIs, email templates, and database models reducing runtime failures
- Robust linting and testing pipelines are embedded in CI/CD, with consistent naming and project structure enforcing quality across the codebase
What Makes It Unique
- Unified HTTP route handler with dynamic 404 fallbacks eliminates boilerplate and enables automatic endpoint discovery
- AuthCard component delivers a distinctive, branded UI experience with immersive visual design that unifies documentation and user interfaces
- MDX-based API documentation auto-generates interactive references from code annotations, creating a living, self-documenting system
- Embedded versioned migration logs serve as a living audit trail, tightly coupling code changes to deployment history
- Seamless synchronization between backend routes, UI components, and documentation via generated SDKs and shared type definitions, eliminating context switching